{"id":3340,"date":"2021-10-18T13:07:17","date_gmt":"2021-10-18T11:07:17","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3340"},"modified":"2026-06-08T22:43:18","modified_gmt":"2026-06-08T22:43:18","slug":"fast-extortion-attacks-no-ransomware","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/fast-extortion-attacks-no-ransomware\/","title":{"rendered":"Fast extortion attacks without ransomware"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">We observed a newly identified threat group designated <strong>SnapMC<\/strong> that, within 30 minutes, compromises organizational systems, exfiltrates sensitive data, and demands payment to prevent disclosure.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This group <strong>does not deploy ransomware<\/strong>, and therefore shows no interest in data encryption\u2014only in data exfiltration. They typically exploit unpatched <strong>VPN<\/strong> and <strong>webserver<\/strong> instances to breach organizational perimeters and conduct illicit operations.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Victims are granted 24 hours to establish contact and 72 hours to reach settlement; however, pressure tactics are applied well before these deadlines. Proof of compromise is provided in the form of a complete inventory of exfiltrated data. If negotiations are not concluded within the specified timeframes, the data is published and the breach is reported to clients and media outlets.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"> <strong>SnapMC<\/strong>  <\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The designation SnapMC derives from their operational speed\u2014&#8221;Snap&#8221;\u2014and their use of the <strong>mc.exe<\/strong> utility for data <strong>exfiltration<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"965\" height=\"97\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/11\/image-4.png\" alt=\"\" class=\"wp-image-3386\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/11\/image-4.png 965w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/11\/image-4-300x30.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/11\/image-4-768x77.png 768w\" sizes=\"(max-width: 965px) 100vw, 965px\" loading=\"lazy\" \/><figcaption>Source:  <a href=\"https:\/\/blog.fox-it.com\/2021\/10\/11\/snapmc-skips-ransomware-steals-data\/\">SnapMC skips ransomware, steals data \u2013 Fox-IT International blog<\/a> <\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">To obtain <strong>initial access<\/strong>, threat actors exploit vulnerabilities<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-18935\" class=\"ek-link\"> <\/a>in the <strong>Telerik<\/strong> user interface for ASP.NET and deploy <strong>SQL injection<\/strong> attacks against webserver applications.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Following successful access, the threat actors execute a payload to establish remote access via <strong>reverse shell<\/strong> and leverage the CVE-2019-18935<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-18935\" class=\"ek-link\"> vulnerability<\/a>. Subsequent reconnaissance operations are conducted through PowerShell commands:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>whoami <\/strong><\/li><li><strong>whoami \/priv <\/strong><\/li><li><strong>wmic logicaldisk get caption, description, provider name<\/strong><\/li><li><strong>net users \/priv <\/strong><\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The group performs <strong>privilege escalation<\/strong> activities through PowerShell scripts:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Invoke-Nightmare<\/strong><\/li><li><strong>Invoke-JuicyPotato<\/strong><\/li><li><strong>Invoke-ServiceAbuse<\/strong><\/li><li><strong>Invoke-EventVwrBypass<\/strong><\/li><li><strong>Invoke-PrivescAudit<\/strong><\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">For <strong>data collection<\/strong>, 7zip and Invoke-SQLcmd scripts are deployed. Artifacts resulting from execution of these utilities are stored in the following directories:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>C:\\Windows\\Temp\\<\/li><li>C:\\Windows\\Temp\\Azure<\/li><li>C:\\Windows\\Temp\\Vmware<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">CVE-2019-18935<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Progress Telerik UI for ASP.NET AJAX through version 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This vulnerability carries a critical severity rating of <strong>9.8<\/strong> and is exploitable when encryption keys are known due to the presence of<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-11317\" class=\"ek-link\"> CVE-2017-11317<\/a> or <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-11357\" class=\"ek-link\">CVE-2017-11357<\/a>. Exploitation of this vulnerability enables <strong>remote code execution<\/strong>. Beginning with version 2020.1.114, a default configuration prevents exploitation; the same protection is present in version 2019.3.1023 but absent in earlier releases. Detection of such activity requires <a href=\"https:\/\/fortgale.com\/en\/managed-detection-and-response\/\">Managed Detection and Response<\/a> capabilities to identify anomalous post-exploitation behavior patterns.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">IOC<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Payload<\/strong> filename downloaded following successful Telerik exploitation. Composed of the first segment derived from epoch timestamp and the second segment (after the dot) generated randomly:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li> C:\\Windows\\Temp[0-9]{10}.[0-9]{1,8}.dll <\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>7zip utility<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li> 7zip archiving utility <\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>SQL cmdlet<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li> s.ps1 <\/li><li> a.ps1 <\/li><li>x.ps1<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Directory<\/strong> in which <strong>files created by MinIO<\/strong> are stored:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li> C:\\Windows\\Temp\\Vmware\\ <\/li><li> C:\\Windows\\Temp\\Azure\\ <\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>MinIO client<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>MD5:  651ed548d2e04881d0ff24f789767c0e <\/li><li>SHA1:  b4171d48df233978f8cf58081b8ad9dc51a6097f <\/li><li>SHA256:  0a1d16e528dc1e41f01eb7c643de0dfb4e5c4a67450c4da78427a8906c70ef3e <\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The operational model employed by SnapMC\u2014rapid compromise, data exfiltration, and extortion without encryption\u2014represents a distinct threat vector requiring continuous monitoring of unpatched external-facing systems and anomalous data access patterns.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Extortion-only intrusions skipping the encryption stage: rapid data theft, leak-site coercion, response time pressure and detection priorities for security teams.<\/p>\n","protected":false},"author":1,"featured_media":3902,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[3191,137,3190,3194,3192,325,3193,380,389],"class_list":["post-3340","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-data-theft","tag-exfiltration","tag-extortion","tag-leak-sites","tag-no-encryption","tag-snapmc","tag-speed-of-attack","tag-vpn","tag-whoami"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3340","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=3340"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3340\/revisions"}],"predecessor-version":[{"id":9865,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3340\/revisions\/9865"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/3902"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3340"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3340"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3340"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}